nimiq-primitives CVE-2026-54541
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
AC:H for probabilistic peer-selection requirement during active sync; A:L for transient self-healing crash only; C and I are N with no data exposure or state corruption.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted TrieChunk whose proof contains two TrieProofNodes with identical keys. TrieProof::verify() calls TrieProofNode::child_index() (primitives/src/trie/trie_proof_node.rs:94), which unconditionally unwraps KeyNibbles::get(self.key.len()). Because is_prefix_of returns true for two equal keys, execution reaches get(len), which returns None, and the unwrap() panics.
The panic is reached from untrusted network input (ResponseChunk → commit_chunks → put_chunk → proof.verify()) before any cryptographic proof verification, so the attacker does not need to produce a valid proof. Exploitation requires the attacker to be selected as the victim's sync peer while the victim is performing state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).
Patches
Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3789 (commit 41d35ace). child_index now rejects equal-length keys and returns MerkleRadixTrieError::WrongPrefix instead of unwrapping.
Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
AnalysisAI
Panic-induced denial of service in nimiq-primitives (core-rs-albatross <= 1.5.1) allows a malicious state-sync peer to crash a syncing Nimiq blockchain node by sending a crafted TrieChunk whose proof contains two TrieProofNode entries with identical keys. The panic fires in TrieProof::verify() before any cryptographic proof validation occurs, so no valid proof is required to trigger it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: (1) the victim Nimiq node must be actively performing state synchronization - this phase occurs when a node is bootstrapping or catching up and is not continuously active on a fully-synced node; and (2) the attacker's node must be selected as the victim's designated sync peer for the current sync session, a probabilistic outcome in the P2P peer-discovery process that the attacker cannot deterministically force without controlling significant routing infrastructure. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L accurately represents real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operates a Nimiq node and either joins the peer network naturally or exploits peer-routing to increase the probability of being selected as a victim node's state-sync peer during an active sync session. Once selected, the attacker sends a single crafted TrieChunk message where the embedded TrieProof contains two TrieProofNode entries sharing an identical key, triggering an unwrap panic in TrieProof::verify() before any cryptographic check is reached. … |
| Remediation | Upgrade core-rs-albatross to version 1.6.0, which is the vendor-released patched version confirmed via the release tag at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.6.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-46wq-28cx-mhw4